Extracting Objects from a Running Process

A few days ago two new 0-days were spotted in the wild: CVE-2013-0633 and CVE-2013-0634, both involving a .swf file, possibly embedded inside a Word document. It might be interesting to understand how to dump such a resource while the attacked process is running, after all the obfuscation layers have been cleared. Clearly the same technique can be extended to extract any type of object from any process, for example whenever we simply need to dump a memory area, or when we need to extract (or find) an entire object. While memory dumpers are common tools, it might be interesting to understand how the dumping process actually works. So let's dig a bit deeper.

Step 1: Understanding Windows Address Space

The virtual address space of a process is the set of virtual memory addresses that the process is allowed to use. In the default virtual address space of a 32-bit Windows process, the lower 2GB (from 0x0 through 0x7FFFFFFF) is assigned to the running process, while the upper 2GB is normally reserved for the system.

Step 2: APIs to get system information and to access a process memory

2.1 Processes list

In order to read a given process's memory, we need to acquire a handle to it, and to do that we first need to iterate over the list of processes until we find the one we are looking for. Process enumeration is performed through the EnumProcesses() API; the code is quite simple:

2.3 Dump the object

Once we have found a signature in memory, we can dump the object, provided we know its size and where to find this information: according to the SWF specification, the length field is a UInt32 (DWORD) at start+4:
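The following is an added example, not code from the original article, showing the signature search and the dump step over a memory region. The region is a constructed byte array standing in for a block already copied out of the target process (on Windows that copy would come from ReadProcessMemory on the handle obtained after EnumProcesses/OpenProcess; none of that is shown here). The helper names find_swf, dump_swf and header_plausible are assumptions of this example. It also adds the check a practitioner wants: the length field is read from the target's memory and therefore untrusted, so a header whose declared length does not even cover the header, or (for an uncompressed "FWS" file) exceeds what was actually read, is rejected rather than used as a copy size. For "CWS" and "ZWS" headers the FileLength is the uncompressed size, so the compressed blob in memory is shorter than the header claims; the code copies up to that bound and leaves trimming at the end of the compressed stream to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Location of an SWF header inside a scanned region (example type). */
typedef struct {
    int found;            /* 1 if a plausible header was located */
    size_t offset;        /* offset of the signature within the region */
    uint32_t file_length; /* the UInt32 at start+4, as declared by the header */
} swf_hit;

/* SWF header fields are little-endian; read the UInt32 at p. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Sanity-check an 8-byte SWF header: signature "FWS" (uncompressed),
 * "CWS" (zlib) or "ZWS" (LZMA), a version byte, then FileLength at +4.
 * The length comes from the target's memory, so it is untrusted: it must
 * cover at least the header itself, and for an uncompressed file it must
 * fit inside what was actually read from the process. */
static int header_plausible(const uint8_t *p, size_t remaining)
{
    if (remaining < 8) return 0;
    if (p[1] != 'W' || p[2] != 'S') return 0;
    if (p[0] != 'F' && p[0] != 'C' && p[0] != 'Z') return 0;
    if (p[3] == 0) return 0;                 /* version byte is never 0 */
    uint32_t len = read_le32(p + 4);
    if (len < 8) return 0;
    if (p[0] == 'F' && len > remaining) return 0;
    return 1;
}

/* Scan a region (a copy of the target's memory) for the first SWF header. */
swf_hit find_swf(const uint8_t *region, size_t size)
{
    swf_hit hit = {0, 0, 0};
    for (size_t i = 0; i + 8 <= size; i++) {
        if (header_plausible(region + i, size - i)) {
            hit.found = 1;
            hit.offset = i;
            hit.file_length = read_le32(region + i + 4);
            return hit;
        }
    }
    return hit;
}

/* Copy the located object into a fresh buffer (caller frees). Returns the
 * number of bytes copied, 0 on failure. The copy never runs past the end of
 * the region, whatever the header claims. */
size_t dump_swf(const uint8_t *region, size_t size, swf_hit hit, uint8_t **out)
{
    *out = NULL;
    if (!hit.found || hit.offset >= size) return 0;
    size_t avail = size - hit.offset;
    size_t n = hit.file_length < avail ? hit.file_length : avail;
    *out = malloc(n);
    if (!*out) return 0;
    memcpy(*out, region + hit.offset, n);
    return n;
}

/* Constructed sample region: 5 junk bytes, then a minimal uncompressed SWF
 * (signature "FWS", version 10, FileLength 28 = 8-byte header + 20-byte
 * body), then 3 trailing junk bytes. */
static const uint8_t sample_region[] = {
    0x90, 0x90, 0x00, 0x41, 0x42,
    'F', 'W', 'S', 10, 0x1C, 0x00, 0x00, 0x00,
    0x78, 0x00, 0x05, 0x5F, 0x00, 0x00, 0x0F, 0xA0, 0x00, 0x00,
    0x0C, 0x01, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xCC, 0xCC, 0xCC
};

int main(void)
{
    swf_hit hit = find_swf(sample_region, sizeof sample_region);
    if (!hit.found) {
        puts("no SWF header found");
        return 1;
    }
    uint8_t *obj = NULL;
    size_t n = dump_swf(sample_region, sizeof sample_region, hit, &obj);
    printf("SWF at offset %zu, declared length %u, dumped %zu bytes\n",
           hit.offset, hit.file_length, n);
    FILE *f = fopen("dumped.swf", "wb");
    if (f) {
        fwrite(obj, 1, n, f);
        fclose(f);
    }
    free(obj);
    return 0;
}
```

Against the constructed region the scan reports the header at offset 5 with a declared length of 28 and writes exactly those 28 bytes to dumped.swf; a header claiming 65535 bytes inside an 11-byte region, or one claiming 4 bytes, is skipped by the same scan.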